

Ryan Whitwam

Epic Games made news when it announced that it would not distribute Fortnite through the Play Store. By offering the game for download on its website, Epic Games can avoid paying Google a 30% cut of in-app purchase sales. However, installing APK files outside of the Play Store requires disabling some security features and is not recommended for novice users. Many observers worried aloud that this approach could cause trouble, and it took Epic Games no time at all to prove those concerns justified. The first Fortnite installer for Android included a flaw that could allow other apps to load malware instead of the game.

To install Fortnite on your Android phone, you first install a "helper" app that downloads the game to your phone's storage and installs it. It turns out that any app on a user's phone with the WRITE_EXTERNAL_STORAGE permission could intercept the install command and substitute another APK, for example one that loads malware. This is called a "man in the disk" attack.
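
One way a helper app can close the substitution window, shown as an added example (not Epic Games' code and not part of the original article): stream the APK into a system-held `PackageInstaller` session while hashing it, and commit only on a digest match, so the file never sits in shared storage between check and install. The class, method and parameter names are hypothetical, and the expected SHA-256 is assumed to reach the app over a trusted channel.

```java
import android.content.Context;
import android.content.IntentSender;
import android.content.pm.PackageInstaller;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.DigestOutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper class; not taken from any real installer.
public final class VerifiedInstaller {
    // apk: assumed to be the HTTPS download stream or a file in app-private
    // storage, never a path on shared external storage.
    public static void install(Context ctx, InputStream apk, byte[] expectedSha256,
                               IntentSender statusReceiver)
            throws IOException, NoSuchAlgorithmException {
        PackageInstaller installer = ctx.getPackageManager().getPackageInstaller();
        PackageInstaller.SessionParams params = new PackageInstaller.SessionParams(
                PackageInstaller.SessionParams.MODE_FULL_INSTALL);
        PackageInstaller.Session session =
                installer.openSession(installer.createSession(params));
        boolean committed = false;
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            // Hash exactly the bytes that are staged; -1 means length unknown.
            try (OutputStream raw = session.openWrite("base.apk", 0, -1);
                 DigestOutputStream out = new DigestOutputStream(raw, sha256)) {
                byte[] buf = new byte[64 * 1024];
                int n;
                while ((n = apk.read(buf)) != -1) {
                    out.write(buf, 0, n);
                }
                out.flush();
                session.fsync(raw);
            }
            // Constant-time comparison; a mismatch abandons the session below.
            if (!MessageDigest.isEqual(sha256.digest(), expectedSha256)) {
                throw new SecurityException("APK digest mismatch; refusing to install");
            }
            session.commit(statusReceiver);
            committed = true;
        } finally {
            if (!committed) session.abandon();
            session.close();
        }
    }
}
```

Because the digest is computed over the same bytes written into the session, an app holding WRITE_EXTERNAL_STORAGE has no file to swap between verification and installation.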

On Samsung phones, which had a short-lived exclusive on Fortnite, the game is installed via a private Galaxy Apps API that makes the process even easier. Any app with the right package name (com.epicgames.fortnite) can pretend to be Fortnite and get itself installed silently in the background. Again, that could be malware.

Google developers noted this flaw as soon as the game launched on Android. A thread on the Android issue tracker provides details and video proof of the vulnerability. Epic Games responded and got to work on a fix. In fairness, within a few days it rolled out a new version of the installer that doesn't allow APK substitution. However, that does not absolve Epic Games of responsibility here. Its decision to skip the Play Store has already put users at risk. Who's to say something like this won't happen again? It may seem like a good business decision to distribute outside the Play Store, but Epic could hurt itself in the long run if it contributes to users getting malware.